I don't disagree, but I'd like to point out things are even more lopsided than you think. Take a look at the STS system over the time period 1972-1993, and the total budget it received divided by the total number of flights it made. You get an amortized flight cost of one billion dollars!</dr. evil> per launch.
Even assuming NASA's own wildly optimistic launch costs, each Shuttle launch cost $450 million. Those aren't numbers I just made up: those are numbers from NASA's Public Affairs Office.
So with the Shuttle, we're looking at $1.7 billion initial outlay and a recurring cost of $450 million per flight... whereas with a Titan IV-B, we're looking at literally a fraction of that cost, without the risk of killing off astronauts.
Any encryption can still be broken through though brute force
<sigh> You know, I answered just this same question yesterday... </sigh>
As a thermodynamic minimum it takes 4.4 * 10**-26 joules to set a bit. (Well, it takes that much to erase one bit of information. But that's quibbling.) So multiply that by 256, for the number of bits in an AES key, and you get 1.1 * 10**-23 joules to store a key.
Now multiply this by 2**255, which is the number of AES keys you'd have to try to break it by brute force (on average). You get 6.4 * 10**53 joules of energy needed.
The total annual energy output of the Sun is on the order of 10**34 joules. Multiply that by 10**10 to compute the total energy release over the Sun's entire lifespan (yes, this is a nasty kludge of an estimate, I know the Sun's energy output varies) and you get 10**44 joules of energy.
Which means you've only exhausted one billionth of the damn keyspace.
No, you can't break any encryption through brute force. There just isn't enough energy in the universe to do it, even positing thermodynamically-perfect computers operating at 3.2K.
Openbsd is about qualtiy. It has les bugs, which equal less possible exploits, but security is not their objective.
Spoken like someone whose knowledge of security comes from a Web page they read once.
Underline this one and write it in bold: high-quality software is secure software. Software insecurity arises when software either does something it's not supposed to do, or does something it's supposed to do in a way it's not supposed to do it.
When software works exactly as intended, even in the face of an adversary who is deliberately attempting to subvert it into malfunctioning, that software is secure, for practically any realistic definition of "secure". Software which works exactly as designed, which is fault-tolerant and has good failure modes in the event of intolerable faults, is a cracker's worst nightmare.
... Not in the legal sense of the word, at least. You can't walk into a courtroom and say "your Honor, I claim the sky is blue". Sure, in the English sense of the word it's a claim; in the legal sense of the word, it's not a claim because it lacks standing before the court. I.e., great, the sky's blue: why should the court care? Great, IBM helped Linux get ready for the enterprise: why should the court care?
A claim is basically a statement of "... and this is why the court should care". So far, SCO's argument about why the court should care doesn't hold water. I'm not worried.
I've never heard ANYONE claim that Asymmetric Key is harder to break than Symmetric key of same length. Can you provide a reference (obviously all the books I've read on the subject are wrong, as is my view of the axiomatic).
Proofs of security would necessarily involve a proof that P != NP. But, for instance, look at the Rabin public-key system, which is provably as difficult as factoring. Factoring is, as near as anyone in the field can tell, an NP problem. (It may have been proven NP, in fact--I'm not quite sure.) In that case, Rabin is provably as secure as any other NP cryptographic system. Please check the Handbook of Applied Cryptography.
In star trek maybe you can store bits and them take no power
The advantage of speculating Star Trek levels of technology is that even in Star Trek the Second Law of Thermodynamics has to be obeyed. If you can prove, beyond a shadow of a doubt, that the laws of thermodynamics prohibit something from happening, that makes all claims of "yes, but you're overlooking the practical concerns, too" absolutely moot.
If it doesn't work in theory, it can't work in practice and all further discussion is a fool's errand.
The theory of brute-forcing 256-bit ciphers, or symmetric crypto, is completely barking mad. As such, I don't need to worry about practical concerns. I've already proven the theory beneath it is unsound.
How many different 256-bit keys are there? About 10**77.
How many different 512-bit primes are there? About 10**151.
If anything, the likelihood of cracking an asymmetric key by brute force are worse.
Insofar as power, learn what the concept of a thermodynamic limitation is. The thermodynamic limitation is given in terms of joules of energy (actually, it's kT, where k is the Boltzmann Constant and T is the ambient temperature the computer is running at). Once you set the bit, there's no thermodynamic requirement that you continue to supply energy to the circuit.
(Technically, thermodynamics allows you to set bits without expending energy... it's clearing a bit which requires it. Still, that's a pretty trivial detail.)
IOW, there's nothing preventing you from breaking it instantaneously, provided you can deliver all that energy instantaneously. And there's nothing preventing you from taking 10**100 years (barring, perhaps, proton decay and the ultimate state of the universe) if you want to deliver that energy slowly.
The time period doesn't matter. The total energy required is what matters.
You didn't, directly, but you seemed to be making more of the near-break than I think is justified, saying, essentially, that because SKIPJACK is "broken", either the NSA knew it or academia has caught/passed them. Except that the SKIPJACK isn't broken.
If I've been describing Biham's attack as a "break", then I've got egg on my face: you're right, it wasn't a break. It was an extremely significant cryptanalytic result, I think--and I think most of the crypto world would agree with me--but it wasn't a break, in the sense that a break proves the existence of better-than-brute-force against the full cipher.
Perhaps part of the miscommunication here is the way the word "break" is overloaded. In a cryptanalytic sense, any better-than-brute-force attack, no matter how minor, is a break. In a practical sense, any way that lets the key be recovered is a break. DES has no cryptanalytic breaks, but in a practical sense it's already broken through key exhaustion, etc.
I get the sense that you're talking about Biham's attack from a practical standpoint. I'm talking about it from an academic/theoretical one. That Biham was able to break 31 of 32 rounds is pretty unquestionably a stunning cryptanalytic result, but it has little applicability towards breaking SKIPJACK in a practical setting.
Insofar as reasons why I've taken the interpretation that I have--I don't have any strong evidence. I just believe that the NSA isn't all that different from, say, IBM. They're both enormous organizations staffed with fallible human beings, they have enormous resources, and enormous problems of left-hand right-hand. Once I stopped viewing the NSA as being some shadowy government conspiracy and started thinking of them as being populated by fallible human beings, and having the same problems with bureaucracy, red tape, interagency turf battles, etc., I started to think that maybe, just maybe, they weren't the impossibly good great shouting gods of crypto after all--good, certainly. But not gods.
Not quite: all that would prove is that RSA is an NP problem. (In fact, there are some hints in the literature that it's not. If you like, I'll look them up--I don't recall specifics off the top of my head.)
For a proof of security, there would have to be a proof that P != NP.
"Why is DES so resistant to differential cryptanalysis? Why are the S-boxes optimized to make this attack as difficult as possible? Why are there as many rounds as required, but no more? Because the designers knew about it. IBM's Don Coppersmith recently wrote,
The design took advantage of certain cryptanalytic techniques, most prominently the technique of `differential cryptanalysis', which were not known in the published literature. After discussions with the NSA, it was decided that disclosure of the design consideration would reveal the technique of differential cryptanalysis, a powerful technique that can be used against many ciphers. This in turn would weaken the competitive advantage the United States enjoyed over other countries in the field of cryptography.
Adi Shamir responded to this, challenging Coppersmith to say that he hadn't found any stronger attacks against DES since then. Coppersmith has chosen to remain silent on that question."
Where did I accuse the NSA of wrongdoing? I firmly believe the NSA testified truthfully to Congress and that they gave SKIPJACK their best shot. Their best shot just wasn't good enough. A break of 31 of 32 rounds may not be significant in the practical sense, but it's deeply significant in a cryptanalytic sense--and deeply embarassing to the NSA.
However, the fact that *every* cryptographer who's been around for a while has had his or her share of public failures does.
... Which is what the anecdote about Bruce was meant to illuminate.
First, Biham and Shamir invented differential cryptanalysis in 1990; they didn't invent it to attack SKIPJACK
I didn't say differential cryptanalysis: I said impossible differential cryptanalysis. Google for it. You'll find quite a few references. Impossible differential cryptanalysis was not invented in 1990. The first mention of impossible differential cryptanalysis that I can recall offhand dates from August 1998, when Biham used it against SKIPJACK.
Breaking a 31-round reduction of SKIPJACK does absolutely no good if you need to decrypt messages encrypted with 32-round SKIPJACK.
It does you 31 rounds of good, because it means you only have to extend the attack by one more round to get better-than-brute-force. Attacks only get better with time. They never, ever, get worse.
Umm, SKIPJACK *doesn't* have any back doors or weaknesses that we know of.
Where did I claim it did? I only said the NSA swore before Congressional intelligence subcommittees that SKIPJACK didn't have back doors. If you think that means I said "the NSA lied to Congress", that says a lot about what you think of the NSA. It doesn't say much about what I actually wrote. For what it's worth, I believe the NSA testified truthfully. They didn't intentionally weaken it or put in back doors.
Any proof of security for the majority of crypto primitives would lead to a proof that P=NP. I don't feel at all bad about crypto being built on this hypothesis: I think P!=NP, and I suspect it cannot be proven.
All we can do is build the best things we can today with the best tools and knowledge we have today. If we wait until the P=NP? question is resolved until we build crypto, our problems are going to be orders of magnitude worse than if we build things now and later discover P=NP.
Check Google. Short answer: generally speaking it's not being deployed because all the available curves are at least one of
Insecure
Inefficient
Patented by Certicom
As soon as we see patents expire on curves, then I imagine we'll see ECC take off. ECC's been around for over a decade now and has enough cryptanalysis done of it to give a lot of people confidence in it as a security measure, but the Certicom patents are just killing it, deploymentwise.
True story. I won't name the company, nor do I list my employment with this company on my resume'. After you hear the story, you'll know why.
I was recruited from a major telco to work for a competing telco in 1999, ostensibly to work as part of their tiger team. When I showed up for work, there was nobody else on the team. "Don't worry," I was told, "we're hiring more. Just try and get some good design work done on securing our billing back-end, because right now it's wide-open."
Wait, your billing back-end is wide open?
"Yes."
And it's deployed?
"Yes."
Oh, fuck.
So I went to work on the back-end (which, at the time, was handling about $1 billion a year), with a great feeling of doom hanging over my head. When you're getting paid $38K and have no backup and you're told that "if we lose money from insecurity, it's all your fault, regardless of the fact we deployed it without any security to speak of"... well. You can figure it out.
A month later I had a binder full of attacks against the network, and another binder full of design ideas for how to secure it. By "binder", I mean 2-inch binders stuffed to the gills with paper. I was shortly thereafter called into my manager's office. An HR representative was present, so I knew the news was bad.
"Rob," my manager said, "we're concerned that you've made no progress on your task..."
What? I asked. I pulled out the Binders o' Doom from my satchel (we didn't have any secure storage in the development group, so I didn't ever let those binders out of my sight) and set them on her desk.
"Oh," she said as she leafed through the binders. The look on her face was roughly that of an indigenous South Pacific islander who was seeing an indoor toilet for the first time. "Um. Rob. Didn't anyone tell you?"
Tell me what?
"We already have a design we want you to use. You just have to implement it. No, no, you're not anywhere near senior enough to come up with a design for the security of the billing system..."
I breathed a sigh of relief. Sanity at last! And then she handed me a very thin folder.
I opened it up and it was, I shit you not, RFC1991. Classic PGP.
I laughed, handed the binder back, and told her she grabbed the wrong folder. Then she got very angry with me and asked me what, precisely, was wrong with using Classic PGP to secure the back-end?
I gave her the litany:
Classic PGP is used to protect email traffic in transit. It doesn't protect databases, it doesn't separate privileges, it doesn't set up a redundant network, it doesn't do offsite backups, it doesn't make sure your Verisign certs are current.
Classic PGP has been superseded by RFC2440, which fixes a lot of problems in the original spec, like no separate subkeys for encryption and signing.
Classic PGP uses two patented algorithms, and if you can barely afford the $38K budget entry for my salary, there's no way you can afford the patent royalties on a couple of billion dollars of transactions.
Classic PGP is a protocol: it's not a security design.
... and on and on and on.
Finally I asked "so who's the genius who came up with this one?"
Whoops. Turns out said genius was sitting across the desk from me.
By the end of the day I was busy writing Classic PGP in C++, under Management orders. The Sword of Damocles was falling and I was right under it. I protested, loudly and vociferously, until finally I got canned for "not being a team player and not performing according to expectation".
I was climbing in my car to leave the company for the last time when I realized... hey, I still have the Binders o' Doom in my satchel.
I got out of my car and walked back towards the building. An HR representative stopped me at the door and told me that if I walked in, it'd be considered trespass. I explained that I just wanted to drop off something for w
*sigh* I really wish people wouldn't mod up questions which can be adequately answered with a quick Google search. That said--please mod the parent down, since it's not worth Paul's time. But I'm not going to leave the poster emptyhanded, either.
In order to flip a bit requires a thermodynamic minimum of 4.4 * 10**-26 joules of energy. (Ignore the time/power theoretical tradeoff and energyless reversible computing, please: those are still purely theoretical, and we have no computers which can do it. For that matter, we have no computers which can approach the thermodynamic minimum, but let's give the NSA some credit.)
That means it requires a minimum of 1.1 * 10**-23 joules of power to store a 256-bit AES key. Let's assume you have some kind of truly bizarre key cracker that can do an energyless rekey and key trial: all you have to do is have 1.1 * 10**-23 joules of power for each key you want to test. That's the thermodynamic minimum energy you need just to store the key.
To break a 256-bit key by brute force requires, on average, 2**255 operations. Multiply 1.1 * 10**-23 joules of power by 2**255, and you get 6.5 * 10**53 joules of power.
First, it's not well-known that the NSA is years ahead of the pack. That's purely speculation. The NSA says so little about how much they know that anyone who says "they're years ahead" just shows they don't know what they're talking about.
In the '70s, '80s, and on up into the '90s, the NSA was certainly ahead of the civilian cryptanalytic community. DES, for instance, had its S-boxes strengthened against differential cryptanalysis in the '70s--about a decade and a half before the civilian cryptanalytic community discovered differential cryptanalysis.
But recently, there've been tantalizing signs the NSA is not as far ahead as people once thought. The civilian cryptanalytic community has grown tremendously in just the last ten years, and the quality of scholarship is the best we've seen since Turing and Shannon established the field. The civilian cryptanalytic community is now breaking NSA designs.
For instance: the NSA submitted a pretty cool cipher mode (Dual Counter Mode) for use with AES. People were looking forward to the opportunity to beat on an NSA design--and lo and behold, Dual Counter Mode was broken within a matter of weeks. The cryptoparanoids out there will say the NSA intentionally put out a weak mode in order to fool their enemies into underestimating their talents, but--really. Occam's Razor applies to the NSA as much as it applies to anyone else. The simpler explanation is that the NSA got egg on their face, just like everyone else has had. If you're going to be active in the crypto community, you're going to get your fair share of brain-os. Bruce Schneier presented MacGuffin at one conference only to have his brainchild be broken before the conference ended. If something like that can happen to Bruce, why should the NSA be immune?
The really fascinating NSA braino is, undoubtedly, SKIPJACK, the cipher which was going to be the heart of the Clipper Chip. It had a very solid design and 32 rounds. 32 rounds is a lot of rounds--the idea the NSA would make a 32-round cipher struck a lot of people as evidence that the NSA was being extremely conservative.
Eli Biham took a look at the SKIPJACK design and, pretty much on a mental lark, decided to play around with some numbers. Before SKIPJACK had been published a month, Biham had invented an entirely new differential cryptanalysis scheme--"impossible differential cryptanalysis"--and had used it to break 31 of SKIPJACK's 32 rounds.
Remember: SKIPJACK was the NSA's effort at making a safe, strong cipher. They swore before Congressional intelligence subcommittees that SKIPJACK didn't have back doors, and they allowed a small number of outside experts (incl. Dorothy Denning, who's a crypto luminary) to review major portions of the classified cipher.
So either you've got to believe the NSA lied to Congress, deliberately deceived Denning, and that Denning wasn't smart enough to know she was being deceived... or you can believe the civilian cryptanalytic community is getting good enough to challenge the NSA on the NSA's own terms.
Anyway. Come to your own beliefs as to how far ahead the NSA is of the civilian cryptanalytic community. I think the answer is "not very", but reasonable people will certainly disagree on these things.
The very instant someone appeals to authority or credentials, they've lost the debate. It's an enormous logical fallacy. That you're standing on your credentials is a strong sign you shouldn't be taken seriously. People who are incapable of understanding "don't use logical fallacies" in an argument have absolutely no standing to weigh in with any sort of informed opinion on any scientific debate.
You may have a PhD. That doesn't mean you know the first thing about science.
Special Warfare teams draw weapons more or less as they want. They've got access to.45 OHWS,.45 Colt M1911A1, 9mm M9 and M11 pistols, mostly. For a long time SEALs swore by the M11 and Delta swore by the M1911A1.
After the frame and slide problems with the M9 were worked out, the M9 was quickly adopted as a standard Special Warfare sidearm. It's in very common usage throughout the Special Warfare community, mostly because (a) it's good enough for its task, and (b) replacement parts and equipment for the M9 are very easy to come by pretty much anywhere in the world. Unlike, say, if they were using the.45 M1911A1 still, in which case you could forget about ever being able to find ammunition outside of the United States...
No, the reason why it costs billions to replace is that it's an extremely complex vehicle made in tiny quantities,
Why is it extremely complex? Because it has to be man-rated. Once you get rid of the man-rating, the complexity drops and so does the price. Try again.:)
Your analysis fails in Step 1. If the agency doesn't have enough money, it's the agency's job to say "hey, we can't meet our obligations on this budget, so we're going to abandon this program, this one and that one so that we can meet budget."
I don't overdraft my checking account. Why don't I? Because I know that if I do it, the bank won't like me very much, and if I do it enough times I'll have a crappy credit rating and a pissed-off banker. If I don't have enough money, then by God, I just have to give up something.
But if NASA overdrafts its checking account, suddenly that's the fault of the banker, and NASA doesn't have to give up anything? No. Instead, what NASA has is a crappy credit rating (i.e., a lot of people saying "NASA can't be trusted with a budget") and a pissed-off set of bankers (i.e., Congress). The only solution is... NASA has to give up something.
The rules apply to NASA just like they apply to me.
I strongly suggest you take a microeconomics course.
I didn't take it as a slam, don't worry.:) The way I see it, if I'm going to go about quoting numbers, least I can do is provide sources when people ask for them.
Yeah, yeah, I know, that's heresy for Slashdot. Sue me.:)
The Shuttle's avionics are general-purpose computers; they handle a wide range of computational tasks during the mission, and new programs are loaded onto the machines from tape during each mission. So yes, there most definitely is an operating system on the Shuttle avionics--I forget the name of it off the top of my head, though. Some IBM OS they came up with specifically for the Shuttle program.
The avionics are written in, I kid you not, Assembler. Or, rather, an IBM-designed Assembler dialect called HAL/S (High Order Assembly Language / Shuttle).
Begging the question: you can't answer "why does the Shuttle have to be made as safe as possible?" with the answer "because you can't afford to lose a vehicle that costs billions to replace".
After all, the only reason why it costs billions to replace it is because it's made as safe as possible. So what your answer boils down to is "the Shuttle has to be made as safe as possible, because you can't afford to lose a vehicle that's as safe as possible".
It's a very common logical fallacy.
For comparison, the Russian Proton-M rocket can hurl a comparable amount to orbit as the Shuttle, and costs only $100 million for vehicle and launch. By comparison, the Shuttle fleet cost $1.7 billion per vehicle and $450 million per flight.
The amount of money that's wasted on the Shuttle program is nothing short of a national disgrace.
First, the shuttle is not and has not EVER been stripped to a bare air frame
Fortunately, I didn't claim that's what happened. Read my post. I said it was "essentially stripped down to parts and rebuilt", which is factually correct. So many different components are disassembled, inspected, recertified and reassembled that each launch costs 25% that of an entirely new Shuttle. It's extremely fair, given the outrageous refurbishment expenses, to say that each shuttle is "essentially stripped down to parts and rebuilt".
But I didn't claim it was stripped down to the airframe. Although that did happen once, if I recall correctly--Columbia had a bow-to-stern strip-down and refurbishment which lasted from '99-'02.
Some tiles on the Columbia have been in place for it's entire lifetime
IIRC, during Columbia's last refurbishment it had a total overhaul of the TPS.
The ones that need more work get put somewhere and otehr engines brought in to replace the one that needs work
... incurring a huge operational expense. NASA keeps on telling us the Space Shuttle's main engines are the most advanced liquid-fuel engines ever built--which is true--while not telling us that as a result of these engines being built at the limit of aerospace engineering capability, we're lucky to get ten percent of the original life out of them. Gee. Thanks, NASA, for keeping us well-informed.
NASA's budget always seems to be the one that can be cut.
Why shouldn't it be? An embarassingly large portion of NASA is completely unable to live within a budget. Take a look at ISS if you don't believe me--the total costs for ISS are expected to top $100 billion. It was originally pitched for just a couple of billion. When NASA has a factor-of-20 budget overrun, you're damn straight I want NASA's budget cut!
This ain't rocket science. If a governmental agency shows itself to be perpetually incapable of reigning in cost overruns, you slash their budget and tell them to learn how to live within their means. Period.
If NASA had the budget to pay enough folks and for the spare parts to do it, they could launch 26 missions a year
No, they couldn't. The shuttle fleet is not physically capable of 26 flights per year--much less 26 per year per orbiter, as was originally claimed in the '70s.
Also, if you look at just the shuttles that have gone up, yes, the record is bad. But if you look at the entire record....after the shuttle is dead and buried or dead and put on display in the Smithsonian, I bet the record would be lower
The Shuttle is dead. I will be phenomenally surprised if we ever see any significant resumption of Shuttle flights--maybe one or two flights so NASA can say "see, we can do it after all!", but then I expect the fleet to be quietly mothballed. So yeah, we have the numbers right now to look at. The numbers ain't good.
I think the point that really needs made here is that the Shuttle was made to fly through the atmosphere on landing as an airplane. It's this form factor that builds up alot of the expense.
A braindamaged form factor which was only added at the insistence of the U.S. military. Long story of why (makes achieving polar orbits easier, etc.), but it gives the Shuttle better capabilities for launching certain military payloads. Of course, since the 1970s (when the Shuttle was conceived) the percentage of military payload aboard the Shuttle has steadily decreased, to the point where the glider concept is a huge albatross around the neck of the space program.
They made the space shuttle the way the did because air force and navy pilots wanted to fly it
Bullshit. They designed the Space Shuttle that way over the objections of Air Force and Navy pilots. Have you ever seen the numbers on a Shuttle landing? They make carrier landings at night seem safe. The Shuttle comes in blisteringly hot--220mph. A DC-9, which is roughly comparable in size, comes in at 130mph. As a ballpark figure, that means the Shuttle landing gear and braking system has to bleed off roughly three times as much as an airliner. Oh, and I forgot--on an airplane, your wheels and brake system weren't freezing at -250 degrees for a couple of weeks before landing.
Let's also look at abort options. If you're a pilot and your landing gear doesn't come down as you're approaching the runway, no problem--pull up, punch to full 'burner and get some altitude while you and ground control figure out what's happening. In the Shuttle, you don't know until a few seconds before touchdown whether or not your gear works. If it doesn't, well, tough shit: you get to do a 220mph crash into asphalt. You don't get to punch 'burner and try again, or look around for a nice patch of water in which to make an emergency landing.
Are you getting the picture yet? Nobody wants to fly the damn thing, because it doesn't fly. All it can do is drop out of orbit like a brick.
Slashdot Mirror
I don't disagree, but I'd like to point out things are even more lopsided than you think. Take a look at the STS system over the time period 1972-1993, and the total budget it received divided by the total number of flights it made. You get an amortized flight cost of one billion dollars!</dr. evil> per launch.
Even assuming NASA's own wildly optimistic launch costs, each Shuttle launch cost $450 million. Those aren't numbers I just made up: those are numbers from NASA's Public Affairs Office.
So with the Shuttle, we're looking at $1.7 billion initial outlay and a recurring cost of $450 million per flight... whereas with a Titan IV-B, we're looking at literally a fraction of that cost, without the risk of killing off astronauts.
Any encryption can still be broken through though brute force
<sigh> You know, I answered just this same question yesterday... </sigh>
As a thermodynamic minimum it takes 4.4 * 10**-26 joules to set a bit. (Well, it takes that much to erase one bit of information. But that's quibbling.) So multiply that by 256, for the number of bits in an AES key, and you get 1.1 * 10**-23 joules to store a key.
Now multiply this by 2**255, which is the number of AES keys you'd have to try to break it by brute force (on average). You get 6.4 * 10**53 joules of energy needed.
The total annual energy output of the Sun is on the order of 10**34 joules. Multiply that by 10**10 to compute the total energy release over the Sun's entire lifespan (yes, this is a nasty kludge of an estimate, I know the Sun's energy output varies) and you get 10**44 joules of energy.
Which means you've only exhausted one billionth of the damn keyspace.
No, you can't break any encryption through brute force. There just isn't enough energy in the universe to do it, even positing thermodynamically-perfect computers operating at 3.2K.
Openbsd is about qualtiy. It has les bugs, which equal less possible exploits, but security is not their objective.
Spoken like someone whose knowledge of security comes from a Web page they read once.
Underline this one and write it in bold: high-quality software is secure software. Software insecurity arises when software either does something it's not supposed to do, or does something it's supposed to do in a way it's not supposed to do it.
When software works exactly as intended, even in the face of an adversary who is deliberately attempting to subvert it into malfunctioning, that software is secure, for practically any realistic definition of "secure". Software which works exactly as designed, which is fault-tolerant and has good failure modes in the event of intolerable faults, is a cracker's worst nightmare.
... Not in the legal sense of the word, at least. You can't walk into a courtroom and say "your Honor, I claim the sky is blue". Sure, in the English sense of the word it's a claim; in the legal sense of the word, it's not a claim because it lacks standing before the court. I.e., great, the sky's blue: why should the court care? Great, IBM helped Linux get ready for the enterprise: why should the court care?
A claim is basically a statement of "... and this is why the court should care". So far, SCO's argument about why the court should care doesn't hold water. I'm not worried.
I've never heard ANYONE claim that Asymmetric Key is harder to break than Symmetric key of same length. Can you provide a reference (obviously all the books I've read on the subject are wrong, as is my view of the axiomatic).
Proofs of security would necessarily involve a proof that P != NP. But, for instance, look at the Rabin public-key system, which is provably as difficult as factoring. Factoring is, as near as anyone in the field can tell, an NP problem. (It may have been proven NP, in fact--I'm not quite sure.) In that case, Rabin is provably as secure as any other NP cryptographic system. Please check the Handbook of Applied Cryptography.
In star trek maybe you can store bits and them take no power
The advantage of speculating Star Trek levels of technology is that even in Star Trek the Second Law of Thermodynamics has to be obeyed. If you can prove, beyond a shadow of a doubt, that the laws of thermodynamics prohibit something from happening, that makes all claims of "yes, but you're overlooking the practical concerns, too" absolutely moot.
If it doesn't work in theory, it can't work in practice and all further discussion is a fool's errand.
The theory of brute-forcing 256-bit ciphers, or symmetric crypto, is completely barking mad. As such, I don't need to worry about practical concerns. I've already proven the theory beneath it is unsound.
How many different 256-bit keys are there? About 10**77.
How many different 512-bit primes are there? About 10**151.
If anything, the likelihood of cracking an asymmetric key by brute force are worse.
Insofar as power, learn what the concept of a thermodynamic limitation is. The thermodynamic limitation is given in terms of joules of energy (actually, it's kT, where k is the Boltzmann Constant and T is the ambient temperature the computer is running at). Once you set the bit, there's no thermodynamic requirement that you continue to supply energy to the circuit.
(Technically, thermodynamics allows you to set bits without expending energy... it's clearing a bit which requires it. Still, that's a pretty trivial detail.)
IOW, there's nothing preventing you from breaking it instantaneously, provided you can deliver all that energy instantaneously. And there's nothing preventing you from taking 10**100 years (barring, perhaps, proton decay and the ultimate state of the universe) if you want to deliver that energy slowly.
The time period doesn't matter. The total energy required is what matters.
You didn't, directly, but you seemed to be making more of the near-break than I think is justified, saying, essentially, that because SKIPJACK is "broken", either the NSA knew it or academia has caught/passed them. Except that the SKIPJACK isn't broken.
If I've been describing Biham's attack as a "break", then I've got egg on my face: you're right, it wasn't a break. It was an extremely significant cryptanalytic result, I think--and I think most of the crypto world would agree with me--but it wasn't a break, in the sense that a break proves the existence of better-than-brute-force against the full cipher.
Perhaps part of the miscommunication here is the way the word "break" is overloaded. In a cryptanalytic sense, any better-than-brute-force attack, no matter how minor, is a break. In a practical sense, any way that lets the key be recovered is a break. DES has no cryptanalytic breaks, but in a practical sense it's already broken through key exhaustion, etc.
I get the sense that you're talking about Biham's attack from a practical standpoint. I'm talking about it from an academic/theoretical one. That Biham was able to break 31 of 32 rounds is pretty unquestionably a stunning cryptanalytic result, but it has little applicability towards breaking SKIPJACK in a practical setting.
Insofar as reasons why I've taken the interpretation that I have--I don't have any strong evidence. I just believe that the NSA isn't all that different from, say, IBM. They're both enormous organizations staffed with fallible human beings, they have enormous resources, and enormous problems of left-hand right-hand. Once I stopped viewing the NSA as being some shadowy government conspiracy and started thinking of them as being populated by fallible human beings, and having the same problems with bureaucracy, red tape, interagency turf battles, etc., I started to think that maybe, just maybe, they weren't the impossibly good great shouting gods of crypto after all--good, certainly. But not gods.
Not quite: all that would prove is that RSA is an NP problem. (In fact, there are some hints in the literature that it's not. If you like, I'll look them up--I don't recall specifics off the top of my head.)
For a proof of security, there would have to be a proof that P != NP.
"Why is DES so resistant to differential cryptanalysis? Why are the S-boxes optimized to make this attack as difficult as possible? Why are there as many rounds as required, but no more? Because the designers knew about it. IBM's Don Coppersmith recently wrote,
- The design took advantage of certain cryptanalytic techniques, most prominently the technique of `differential cryptanalysis', which were not known in the published literature. After discussions with the NSA, it was decided that disclosure of the design consideration would reveal the technique of differential cryptanalysis, a powerful technique that can be used against many ciphers. This in turn would weaken the competitive advantage the United States enjoyed over other countries in the field of cryptography.
Adi Shamir responded to this, challenging Coppersmith to say that he hadn't found any stronger attacks against DES since then. Coppersmith has chosen to remain silent on that question."Hopefully, this answers your question.
Where did I accuse the NSA of wrongdoing? I firmly believe the NSA testified truthfully to Congress and that they gave SKIPJACK their best shot. Their best shot just wasn't good enough. A break of 31 of 32 rounds may not be significant in the practical sense, but it's deeply significant in a cryptanalytic sense--and deeply embarassing to the NSA.
However, the fact that *every* cryptographer who's been around for a while has had his or her share of public failures does.
... Which is what the anecdote about Bruce was meant to illuminate.
First, Biham and Shamir invented differential cryptanalysis in 1990; they didn't invent it to attack SKIPJACK
I didn't say differential cryptanalysis: I said impossible differential cryptanalysis. Google for it. You'll find quite a few references. Impossible differential cryptanalysis was not invented in 1990. The first mention of impossible differential cryptanalysis that I can recall offhand dates from August 1998, when Biham used it against SKIPJACK.
Breaking a 31-round reduction of SKIPJACK does absolutely no good if you need to decrypt messages encrypted with 32-round SKIPJACK.
It does you 31 rounds of good, because it means you only have to extend the attack by one more round to get better-than-brute-force. Attacks only get better with time. They never, ever, get worse.
Umm, SKIPJACK *doesn't* have any back doors or weaknesses that we know of.
Where did I claim it did? I only said the NSA swore before Congressional intelligence subcommittees that SKIPJACK didn't have back doors. If you think that means I said "the NSA lied to Congress", that says a lot about what you think of the NSA. It doesn't say much about what I actually wrote. For what it's worth, I believe the NSA testified truthfully. They didn't intentionally weaken it or put in back doors.
Any proof of security for the majority of crypto primitives would lead to a proof that P=NP. I don't feel at all bad about crypto being built on this hypothesis: I think P!=NP, and I suspect it cannot be proven.
All we can do is build the best things we can today with the best tools and knowledge we have today. If we wait until the P=NP? question is resolved until we build crypto, our problems are going to be orders of magnitude worse than if we build things now and later discover P=NP.
D'OH!
I am so embarassed. Really. That's one of my pet peeves, and I just did it myself.
As soon as we see patents expire on curves, then I imagine we'll see ECC take off. ECC's been around for over a decade now and has enough cryptanalysis done of it to give a lot of people confidence in it as a security measure, but the Certicom patents are just killing it, deploymentwise.
I was recruited from a major telco to work for a competing telco in 1999, ostensibly to work as part of their tiger team. When I showed up for work, there was nobody else on the team. "Don't worry," I was told, "we're hiring more. Just try and get some good design work done on securing our billing back-end, because right now it's wide-open."
Wait, your billing back-end is wide open?
"Yes."
And it's deployed?
"Yes."
Oh, fuck.
So I went to work on the back-end (which, at the time, was handling about $1 billion a year), with a great feeling of doom hanging over my head. When you're getting paid $38K and have no backup and you're told that "if we lose money from insecurity, it's all your fault, regardless of the fact we deployed it without any security to speak of"... well. You can figure it out.
A month later I had a binder full of attacks against the network, and another binder full of design ideas for how to secure it. By "binder", I mean 2-inch binders stuffed to the gills with paper. I was shortly thereafter called into my manager's office. An HR representative was present, so I knew the news was bad.
"Rob," my manager said, "we're concerned that you've made no progress on your task..."
What? I asked. I pulled out the Binders o' Doom from my satchel (we didn't have any secure storage in the development group, so I didn't ever let those binders out of my sight) and set them on her desk.
"Oh," she said as she leafed through the binders. The look on her face was roughly that of an indigenous South Pacific islander who was seeing an indoor toilet for the first time. "Um. Rob. Didn't anyone tell you?"
Tell me what?
"We already have a design we want you to use. You just have to implement it. No, no, you're not anywhere near senior enough to come up with a design for the security of the billing system..."
I breathed a sigh of relief. Sanity at last! And then she handed me a very thin folder.
I opened it up and it was, I shit you not, RFC1991. Classic PGP.
I laughed, handed the binder back, and told her she grabbed the wrong folder. Then she got very angry with me and asked me what, precisely, was wrong with using Classic PGP to secure the back-end?
I gave her the litany:
Finally I asked "so who's the genius who came up with this one?"
Whoops. Turns out said genius was sitting across the desk from me.
By the end of the day I was busy writing Classic PGP in C++, under Management orders. The Sword of Damocles was falling and I was right under it. I protested, loudly and vociferously, until finally I got canned for "not being a team player and not performing according to expectation".
I was climbing in my car to leave the company for the last time when I realized... hey, I still have the Binders o' Doom in my satchel.
I got out of my car and walked back towards the building. An HR representative stopped me at the door and told me that if I walked in, it'd be considered trespass. I explained that I just wanted to drop off something for w
*sigh* I really wish people wouldn't mod up questions which can be adequately answered with a quick Google search. That said--please mod the parent down, since it's not worth Paul's time. But I'm not going to leave the poster emptyhanded, either.
0 00 0000000
... joules of power.
... joules of power.
In order to flip a bit requires a thermodynamic minimum of 4.4 * 10**-26 joules of energy. (Ignore the time/power theoretical tradeoff and energyless reversible computing, please: those are still purely theoretical, and we have no computers which can do it. For that matter, we have no computers which can approach the thermodynamic minimum, but let's give the NSA some credit.)
That means it requires a minimum of 1.1 * 10**-23 joules of power to store a 256-bit AES key. Let's assume you have some kind of truly bizarre key cracker that can do an energyless rekey and key trial: all you have to do is have 1.1 * 10**-23 joules of power for each key you want to test. That's the thermodynamic minimum energy you need just to store the key.
To break a 256-bit key by brute force requires, on average, 2**255 operations. Multiply 1.1 * 10**-23 joules of power by 2**255, and you get 6.5 * 10**53 joules of power.
Let me repeat this.
It requires
65000000000000000000000000000000000000000000000
By comparison, the Sun's annual power output is in the realm of 1.2 * 10**34 joules.
Or
120000000000000000000000000000000000
Are you beginning to see why it's such a silly question to ask whether or not modern ciphers can be brute-forced with Crays?
Please. Use Google before asking questions.
First, it's not well-known that the NSA is years ahead of the pack. That's purely speculation. The NSA says so little about how much they know that anyone who says "they're years ahead" just shows they don't know what they're talking about.
In the '70s, '80s, and on up into the '90s, the NSA was certainly ahead of the civilian cryptanalytic community. DES, for instance, had its S-boxes strengthened against differential cryptanalysis in the '70s--about a decade and a half before the civilian cryptanalytic community discovered differential cryptanalysis.
But recently, there've been tantalizing signs the NSA is not as far ahead as people once thought. The civilian cryptanalytic community has grown tremendously in just the last ten years, and the quality of scholarship is the best we've seen since Turing and Shannon established the field. The civilian cryptanalytic community is now breaking NSA designs.
For instance: the NSA submitted a pretty cool cipher mode (Dual Counter Mode) for use with AES. People were looking forward to the opportunity to beat on an NSA design--and lo and behold, Dual Counter Mode was broken within a matter of weeks. The cryptoparanoids out there will say the NSA intentionally put out a weak mode in order to fool their enemies into underestimating their talents, but--really. Occam's Razor applies to the NSA as much as it applies to anyone else. The simpler explanation is that the NSA got egg on their face, just like everyone else has had. If you're going to be active in the crypto community, you're going to get your fair share of brain-os. Bruce Schneier presented MacGuffin at one conference only to have his brainchild be broken before the conference ended. If something like that can happen to Bruce, why should the NSA be immune?
The really fascinating NSA braino is, undoubtedly, SKIPJACK, the cipher which was going to be the heart of the Clipper Chip. It had a very solid design and 32 rounds. 32 rounds is a lot of rounds--the idea the NSA would make a 32-round cipher struck a lot of people as evidence that the NSA was being extremely conservative.
Eli Biham took a look at the SKIPJACK design and, pretty much on a mental lark, decided to play around with some numbers. Before SKIPJACK had been published a month, Biham had invented an entirely new differential cryptanalysis scheme--"impossible differential cryptanalysis"--and had used it to break 31 of SKIPJACK's 32 rounds.
Remember: SKIPJACK was the NSA's effort at making a safe, strong cipher. They swore before Congressional intelligence subcommittees that SKIPJACK didn't have back doors, and they allowed a small number of outside experts (incl. Dorothy Denning, who's a crypto luminary) to review major portions of the classified cipher.
So either you've got to believe the NSA lied to Congress, deliberately deceived Denning, and that Denning wasn't smart enough to know she was being deceived... or you can believe the civilian cryptanalytic community is getting good enough to challenge the NSA on the NSA's own terms.
Anyway. Come to your own beliefs as to how far ahead the NSA is of the civilian cryptanalytic community. I think the answer is "not very", but reasonable people will certainly disagree on these things.
Congratulations: you just lost the argument.
The very instant someone appeals to authority or credentials, they've lost the debate. It's an enormous logical fallacy. That you're standing on your credentials is a strong sign you shouldn't be taken seriously. People who are incapable of understanding "don't use logical fallacies" in an argument have absolutely no standing to weigh in with any sort of informed opinion on any scientific debate.
You may have a PhD. That doesn't mean you know the first thing about science.
Special Warfare teams draw weapons more or less as they want. They've got access to .45 OHWS, .45 Colt M1911A1, 9mm M9 and M11 pistols, mostly. For a long time SEALs swore by the M11 and Delta swore by the M1911A1.
.45 M1911A1 still, in which case you could forget about ever being able to find ammunition outside of the United States...
After the frame and slide problems with the M9 were worked out, the M9 was quickly adopted as a standard Special Warfare sidearm. It's in very common usage throughout the Special Warfare community, mostly because (a) it's good enough for its task, and (b) replacement parts and equipment for the M9 are very easy to come by pretty much anywhere in the world. Unlike, say, if they were using the
No, the reason why it costs billions to replace is that it's an extremely complex vehicle made in tiny quantities,
:)
Why is it extremely complex? Because it has to be man-rated. Once you get rid of the man-rating, the complexity drops and so does the price. Try again.
Your analysis fails in Step 1. If the agency doesn't have enough money, it's the agency's job to say "hey, we can't meet our obligations on this budget, so we're going to abandon this program, this one and that one so that we can meet budget."
I don't overdraft my checking account. Why don't I? Because I know that if I do it, the bank won't like me very much, and if I do it enough times I'll have a crappy credit rating and a pissed-off banker. If I don't have enough money, then by God, I just have to give up something.
But if NASA overdrafts its checking account, suddenly that's the fault of the banker, and NASA doesn't have to give up anything? No. Instead, what NASA has is a crappy credit rating (i.e., a lot of people saying "NASA can't be trusted with a budget") and a pissed-off set of bankers (i.e., Congress). The only solution is... NASA has to give up something.
The rules apply to NASA just like they apply to me.
I strongly suggest you take a microeconomics course.
I didn't take it as a slam, don't worry. :) The way I see it, if I'm going to go about quoting numbers, least I can do is provide sources when people ask for them.
:)
Yeah, yeah, I know, that's heresy for Slashdot. Sue me.
The Shuttle's avionics are general-purpose computers; they handle a wide range of computational tasks during the mission, and new programs are loaded onto the machines from tape during each mission. So yes, there most definitely is an operating system on the Shuttle avionics--I forget the name of it off the top of my head, though. Some IBM OS they came up with specifically for the Shuttle program.
The avionics are written in, I kid you not, Assembler. Or, rather, an IBM-designed Assembler dialect called HAL/S (High Order Assembly Language / Shuttle).
Begging the question: you can't answer "why does the Shuttle have to be made as safe as possible?" with the answer "because you can't afford to lose a vehicle that costs billions to replace".
After all, the only reason why it costs billions to replace it is because it's made as safe as possible. So what your answer boils down to is "the Shuttle has to be made as safe as possible, because you can't afford to lose a vehicle that's as safe as possible".
It's a very common logical fallacy.
For comparison, the Russian Proton-M rocket can hurl a comparable amount to orbit as the Shuttle, and costs only $100 million for vehicle and launch. By comparison, the Shuttle fleet cost $1.7 billion per vehicle and $450 million per flight.
The amount of money that's wasted on the Shuttle program is nothing short of a national disgrace.
First, the shuttle is not and has not EVER been stripped to a bare air frame
Fortunately, I didn't claim that's what happened. Read my post. I said it was "essentially stripped down to parts and rebuilt", which is factually correct. So many different components are disassembled, inspected, recertified and reassembled that each launch costs 25% that of an entirely new Shuttle. It's extremely fair, given the outrageous refurbishment expenses, to say that each shuttle is "essentially stripped down to parts and rebuilt".
But I didn't claim it was stripped down to the airframe. Although that did happen once, if I recall correctly--Columbia had a bow-to-stern strip-down and refurbishment which lasted from '99-'02.
Some tiles on the Columbia have been in place for it's entire lifetime
IIRC, during Columbia's last refurbishment it had a total overhaul of the TPS.
The ones that need more work get put somewhere and otehr engines brought in to replace the one that needs work
... incurring a huge operational expense. NASA keeps on telling us the Space Shuttle's main engines are the most advanced liquid-fuel engines ever built--which is true--while not telling us that as a result of these engines being built at the limit of aerospace engineering capability, we're lucky to get ten percent of the original life out of them. Gee. Thanks, NASA, for keeping us well-informed.
NASA's budget always seems to be the one that can be cut.
Why shouldn't it be? An embarassingly large portion of NASA is completely unable to live within a budget. Take a look at ISS if you don't believe me--the total costs for ISS are expected to top $100 billion. It was originally pitched for just a couple of billion. When NASA has a factor-of-20 budget overrun, you're damn straight I want NASA's budget cut!
This ain't rocket science. If a governmental agency shows itself to be perpetually incapable of reigning in cost overruns, you slash their budget and tell them to learn how to live within their means. Period.
If NASA had the budget to pay enough folks and for the spare parts to do it, they could launch 26 missions a year
No, they couldn't. The shuttle fleet is not physically capable of 26 flights per year--much less 26 per year per orbiter, as was originally claimed in the '70s.
Also, if you look at just the shuttles that have gone up, yes, the record is bad. But if you look at the entire record....after the shuttle is dead and buried or dead and put on display in the Smithsonian, I bet the record would be lower
The Shuttle is dead. I will be phenomenally surprised if we ever see any significant resumption of Shuttle flights--maybe one or two flights so NASA can say "see, we can do it after all!", but then I expect the fleet to be quietly mothballed. So yeah, we have the numbers right now to look at. The numbers ain't good.
I think the point that really needs made here is that the Shuttle was made to fly through the atmosphere on landing as an airplane. It's this form factor that builds up alot of the expense.
A braindamaged form factor which was only added at the insistence of the U.S. military. Long story of why (makes achieving polar orbits easier, etc.), but it gives the Shuttle better capabilities for launching certain military payloads. Of course, since the 1970s (when the Shuttle was conceived) the percentage of military payload aboard the Shuttle has steadily decreased, to the point where the glider concept is a huge albatross around the neck of the space program.
They made the space shuttle the way the did because air force and navy pilots wanted to fly it
Bullshit. They designed the Space Shuttle that way over the objections of Air Force and Navy pilots. Have you ever seen the numbers on a Shuttle landing? They make carrier landings at night seem safe. The Shuttle comes in blisteringly hot--220mph. A DC-9, which is roughly comparable in size, comes in at 130mph. As a ballpark figure, that means the Shuttle landing gear and braking system has to bleed off roughly three times as much as an airliner. Oh, and I forgot--on an airplane, your wheels and brake system weren't freezing at -250 degrees for a couple of weeks before landing.
Let's also look at abort options. If you're a pilot and your landing gear doesn't come down as you're approaching the runway, no problem--pull up, punch to full 'burner and get some altitude while you and ground control figure out what's happening. In the Shuttle, you don't know until a few seconds before touchdown whether or not your gear works. If it doesn't, well, tough shit: you get to do a 220mph crash into asphalt. You don't get to punch 'burner and try again, or look around for a nice patch of water in which to make an emergency landing.
Are you getting the picture yet? Nobody wants to fly the damn thing, because it doesn't fly. All it can do is drop out of orbit like a brick.